HIPAA - An Introduction to the New Privacy Rules for Medical Information

A new law governing the privacy, security & electronic transmission of health care data is rippling through the health care industry, affecting both institutions and medical providers. The privacy rules of the Health Insurance Portability and Accountability Act, with which medical providers, health care plans and organizations must comply, state that unauthorized persons can't have access to private medical data. These new rules affect medical providers who download patient information from a network to a home computer, anyone who works on patient information at home, and how patient information is shared between consultants and referring providers. The new rules are the first standard for protecting the privacy of health records in the US, and apply to both US citizens and non-citizens. The initial rules only applied to electronic medical records, but now include written and oral communications about patients. Banks and other financial institutions are working on following similar rules in the Gramm-Leach-Bliley Act. Health care organizations must standardize data formats for electronic transactions, such as digital prescriptions. Many started early: a February 2001 survey of 225 health care organizations revealed that 65% had general HIPAA education programs in place and 50% had begun risk assessments. The second deadline for HIPAA is April 2003, which requires implementing privacy and security provisions for patient data.

How could the new rules affect PAs? If you access patient information at work, your computer screen could be repositioned so that others cannot see it. Your computer department may install screen savers with just a five minute time out so that others may not see patient information when you step away from the computer. Since the penalties for breaches include severe fines and possible jail time, your employer could require you to use encryption or a special type of closed network (virtual private network). They could even require you to use an eye or fingerprint scanner on your home computer to lock out unauthorized access. The rules for patient access to information have undergone extensive revisions, and include provisions for patients to review their medical records and correct mistakes in them. Patients are also entitled to review the documentation of disclosures of their health information. A final note of interest for PAs: the new regulations require organizations to designate an official to oversee privacy practices and training. For more information or to ask a question about HIPAA, see the Resources listed below.

A HIPAA Primer Who? Electronic Privacy Organizations
must Gives
patient's Security